...
Zero Penalty Hit is a Squid feature that marks traffic sent to the client according to the cache lookup status (hit, miss, etc.). The use case is managing upstream bandwidth without limiting access to content that is already cached. Here's an example of a Traffic Server plugin that does the same thing, but I'm skeptical: isn't it better to directly manage the bandwidth between the proxy and the origin? Traffic sent *from* the origin (the packets that make up an origin response) can be marked with the Netfilter CONNMARK target. What effect does constricting traffic between the proxy and the client have on the upstream traffic? See background fill and Read While Writer. The Netfilter CONNMARK target and transparency can help directly manage the bandwidth between the proxy and the origin.
Use the tsxs utility to compile the plugin:

```
$ tsxs -o tos.so tos.cc
```
...
This is handy for communicating more detail to iproute2 and similar tools. For example, here's how to divide upstream bandwidth equally among all clients with iproute2 and SFQ:
records.config:

```bash
# The source of origin requests and destination of origin responses is
# the address of the client
CONFIG proxy.config.http.server_ports STRING 8080:tr-out
```

```bash
# Remember if traffic originated from our Internet connection
iptables -t mangle -A PREROUTING -i eth0.2 -j MARK --set-mark 1/1
ifconfig ifb0 up
# A qdisc is required before we can add a filter
insmod sch_prio
tc qdisc add dev br-lan root handle 1 prio
# Shape only traffic originating from our Internet connection
# (packet mark 1/1)
insmod cls_u32
insmod act_mirred
tc filter add dev br-lan parent 1: protocol ip pref 1 u32 match mark 1 1 flowid 1:1 action mirred egress redirect dev ifb0
# Don't shape traffic (reorder/delay/drop) while there's available
# capacity. Unfortunately available capacity must be manually
# configured and fine-tuned. The following assumes isolated
# up/downstream capacity (full-duplex).
insmod sch_tbf
tc qdisc add dev eth0.2 root handle 1 tbf rate .5mbit burst 5k latency 70ms
tc qdisc add dev ifb0 root handle 1 tbf rate 2.5mbit burst 5k latency 70ms
# Schedule an equal amount of traffic for each client
insmod sch_sfq
tc qdisc add dev eth0.2 parent 1: handle 2 sfq
tc qdisc add dev ifb0 parent 1: handle 2 sfq
# Divide downstream traffic into clients by destination IP address.
# Divide upstream traffic into clients by *Netfilter connection
# tracking* source IP address (after NAT all upstream traffic shares the
# same source IP address).
insmod cls_flow
tc filter add dev eth0.2 parent 2: pref 1 handle 1 flow hash keys nfct-src divisor 1024
tc filter add dev ifb0 parent 2: protocol ip pref 1 handle 1 flow hash keys dst divisor 1024
```
...
Be careful of ICMP redirects: they can sometimes cause clients to route non-web traffic to the proxy.
records.config:

```bash
# The source of client responses and destination of client requests is
# the address of the origin. The source of origin requests and
# destination of origin responses is the address of the client.
CONFIG proxy.config.http.server_ports STRING 8080:tr-full
```
remap.config:

```bash
# Give high priority to Wikipedia, low priority to YouTube
map http://wikipedia.org http://wikipedia.org @plugin=conf_remap.so @pparam=proxy.config.net.sock_packet_tos_out=0x0c
regex_map http://.*\.wikipedia\.org http://$0 @plugin=conf_remap.so @pparam=proxy.config.net.sock_packet_tos_out=0x0c
map http://youtube.org http://youtube.org @plugin=conf_remap.so @pparam=proxy.config.net.sock_packet_tos_out=0x1c
regex_map http://.*\.youtube\.org http://$0 @plugin=conf_remap.so @pparam=proxy.config.net.sock_packet_tos_out=0x1c
```
```bash
# Remember if traffic originated from our Internet connection
iptables -t mangle -A PREROUTING -i eth0.2 -j MARK --set-mark 1/1
# Route web traffic to the proxy server except traffic already
# originating from it. Matching web traffic by port number isn't
# perfect but it's good enough. This is the MAC address of the proxy
# server. Because it's configured to make origin connections
# transparent this is the only way to match traffic already originating
# from it:
# http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.general/45405
iptables -t mangle -A PREROUTING -m mac --mac-source 00:22:15:d2:1e:61 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2/2
iptables -t mangle -A PREROUTING -i eth0.2 -p tcp --sport 80 -j MARK --set-mark 2/2
# Web traffic is medium priority by default but the proxy server further
# breaks down some high/low priority traffic. It communicates this by
# setting the ToS/DiffServ Field (it uses the pool of codepoints reserved
# for experimental or local use, 0x0c/0x0c). Mark the connection to
# remember the priority and apply the same classification to response
# traffic (on which the ToS/DiffServ Field is not set).
iptables -t mangle -A POSTROUTING -m tos --tos 0x0c -j CONNMARK --set-mark 1
iptables -t mangle -A POSTROUTING -m connmark --mark 1 -j CLASSIFY --set-class 2:1
iptables -t mangle -A POSTROUTING -m tos --tos 0x1c -j CONNMARK --set-mark 2
iptables -t mangle -A POSTROUTING -m connmark --mark 2 -j CLASSIFY --set-class 2:3
# Route web traffic to the proxy server: table 1 holds a single default
# route via the proxy and is selected by the 2/2 packet mark
ip route add default via 192.168.1.2 table 1
ip rule add fwmark 2/2 table 1
ifconfig ifb0 up
# A qdisc is required before we can add a filter
insmod sch_prio
tc qdisc add dev br-lan root handle 1 prio
# Shape only traffic originating from our Internet connection
# (packet mark 1/1)
insmod cls_u32
insmod act_mirred
tc filter add dev br-lan parent 1: protocol ip pref 1 u32 match mark 1 1 flowid 1:1 action mirred egress redirect dev ifb0
# Don't shape traffic (reorder/delay/drop) while there's available
# capacity. Unfortunately available capacity must be manually
# configured and fine-tuned. The following assumes isolated
# up/downstream capacity (full-duplex).
insmod sch_tbf
tc qdisc add dev eth0.2 root handle 1 tbf rate .5mbit burst 5k latency 70ms
tc qdisc add dev ifb0 root handle 1 tbf rate 2.5mbit burst 5k latency 70ms
# Schedule traffic according to three priorities
tc qdisc add dev eth0.2 parent 1: handle 2 prio
tc qdisc add dev ifb0 parent 1: handle 2 prio
# For each priority schedule an equal amount of traffic for each client
insmod sch_sfq
tc qdisc add dev eth0.2 parent 2:1 handle 3 sfq
tc qdisc add dev ifb0 parent 2:1 handle 3 sfq
tc qdisc add dev eth0.2 parent 2:2 handle 4 sfq
tc qdisc add dev ifb0 parent 2:2 handle 4 sfq
tc qdisc add dev eth0.2 parent 2:3 handle 5 sfq
tc qdisc add dev ifb0 parent 2:3 handle 5 sfq
# Divide downstream traffic into clients by destination IP address.
# Divide upstream traffic into clients by *Netfilter connection
# tracking* source IP address (after NAT all upstream traffic shares the
# same source IP address).
insmod cls_flow
tc filter add dev eth0.2 parent 3: pref 1 handle 1 flow hash keys nfct-src divisor 1024
tc filter add dev ifb0 parent 3: protocol ip pref 1 handle 1 flow hash keys dst divisor 1024
tc filter add dev eth0.2 parent 4: pref 1 handle 1 flow hash keys nfct-src divisor 1024
tc filter add dev ifb0 parent 4: protocol ip pref 1 handle 1 flow hash keys dst divisor 1024
tc filter add dev eth0.2 parent 5: pref 1 handle 1 flow hash keys nfct-src divisor 1024
tc filter add dev ifb0 parent 5: protocol ip pref 1 handle 1 flow hash keys dst divisor 1024
```
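The single-band SFQ setup earlier on the page and the three-band prio setup above are two instances of the same tree: a root TBF, an optional prio split, and one SFQ plus flow filter per band. As an added example (not code from the Traffic Server wiki), this POSIX shell function generates that tree for any band count; it assumes the same interface roles as the page (eth0.2 upstream, ifb0 for redirected downstream traffic) and defaults TC to echo so it can be dry-run without root.

```shell
#!/bin/sh
# Added example, not part of the Traffic Server wiki. Emits the tc commands
# that build the per-client fair-queueing tree from the setups above for any
# number of priority bands. TC defaults to "echo" (dry run, no root needed);
# run with TC=tc to apply. Assumes eth0.2 is the Internet-facing interface
# and ifb0 carries downstream traffic redirected from br-lan.
TC=${TC:-echo}

# shape_dev DEV RATE KEY BANDS
#   DEV, RATE  interface to shape and its manually configured capacity
#   KEY        flow key identifying a client: nfct-src upstream (NAT hides
#              the client address), dst downstream
#   BANDS      1 reproduces the plain SFQ setup; 3 or more gives one band
#              per priority, selected by CLASSIFY --set-class 2:N
#              (2 is not supported: prio's default priomap needs 3 bands)
shape_dev() {
  dev=$1 rate=$2 key=$3 bands=$4
  # Root token bucket: nothing is reordered or dropped below link capacity
  $TC qdisc add dev "$dev" root handle 1 tbf rate "$rate" burst 5k latency 70ms
  if [ "$bands" -eq 1 ]; then
    $TC qdisc add dev "$dev" parent 1: handle 2 sfq
    $TC filter add dev "$dev" parent 2: protocol ip pref 1 handle 1 \
      flow hash keys "$key" divisor 1024
    return
  fi
  # prio only needs an explicit band count above its default of three
  extra=""
  if [ "$bands" -gt 3 ]; then extra="bands $bands"; fi
  $TC qdisc add dev "$dev" parent 1: handle 2 prio $extra
  band=1
  while [ "$band" -le "$bands" ]; do
    handle=$((band + 2))   # 3, 4, 5 ... matches the three-band example
    # One SFQ per band so clients share each priority level equally
    $TC qdisc add dev "$dev" parent "2:$band" handle "$handle" sfq
    $TC filter add dev "$dev" parent "$handle:" protocol ip pref 1 handle 1 \
      flow hash keys "$key" divisor 1024
    band=$((band + 1))
  done
}

# Dry run of the three-band setup on both devices
shape_dev eth0.2 .5mbit nfct-src 3
shape_dev ifb0 2.5mbit dst 3
```

The generated three-band output matches the tc lines in the block above line for line, apart from `protocol ip` being given on every filter.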
...